From: Ondřej Surý
Date: Sat, 14 Feb 2026 13:43:41 +0000 (+0100)
Subject: Invalid NSEC3 can cause OOB read of the isdelegation() stack
X-Git-Tag: v9.20.20~9^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e0d05145e1e36ff4fdf7615f762f58f8000f44e7;p=thirdparty%2Fbind9.git

Invalid NSEC3 can cause OOB read of the isdelegation() stack

When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a harmless out-of-bound read of the isdelegation() stack.

This patch fixes the issue by skipping NSEC3 records with an oversized hash length during validation.

(cherry picked from commit 67b4fb56e40bf856e1fccd41e752d5f486b5b569)
---

diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c
index 600a90f9bd9..9f4d4e5a998 100644
--- a/lib/dns/rdata/generic/nsec3_50.c
+++ b/lib/dns/rdata/generic/nsec3_50.c
@@ -313,6 +313,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
 nsec3->len = region.length;
 nsec3->typebits = mem_maybedup(mctx, region.base, region.length);
 nsec3->mctx = mctx;
+
 return ISC_R_SUCCESS;
 }
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 0cd2cfb6c22..4ab4ee407e0 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -340,6 +340,9 @@ trynsec3:
 if (nsec3.hash != 1) {
 continue;
 }
+if (nsec3.next_length > NSEC3_MAX_HASH_LENGTH) {
+continue;
+}
 length = isc_iterated_hash(
 hash, nsec3.hash, nsec3.iterations, nsec3.salt,
 nsec3.salt_length, name->ndata, name->length);
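Review bot: The new guard in the validator.c hunk carries no comment saying why NSEC3_MAX_HASH_LENGTH is the bound, and the bound is looser than the data allows: the loop has already restricted itself to SHA-1 (`nsec3.hash != 1` is skipped just above), so once `length = isc_iterated_hash(...)` is known, a record with `nsec3.next_length != length` is inconsistent even when next_length fits the buffer. If the later comparison that consumes nsec3.next_length is outside this hunk — it is not visible here — a second guard after the hash call, `if (nsec3.next_length != length) { continue; }`, would reject such records too; whether isc_iterated_hash can return 0 on failure, and how that interacts with the guard, needs confirming against the callee. Annotate the added lines with `/* next_length bounds a later read of the fixed-size hash buffer on this stack frame; skip oversized records. */` so the constant's role is clear to the next reader. The enclosing function (isdelegation(), per the commit message) starts and ends outside the hunk, so the site where next_length is consumed cannot be confirmed from this diff.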